FW: [Labrea-users] Listening on multiple logical segments
From: Gordon, L. <Lor...@te...> - 2004-02-23 15:10:38
Interesting question so am posting thread.

lorgor

-----Original Message-----
From: Gordon, Loren
Sent: Monday, February 23, 2004 9:44 AM
To:
Subject: RE: [Labrea-users] Listening on multiple logical segments

Keith,

Your comment is correct. Labrea handles only one capture subnet.

Am at home recovering from a sinus operation (not your problem!) so can't fool around with tests.

The idea of running multiple instances of labrea is one I haven't tested. Does it work correctly for you? Will it work in general? Depends on libdnet. FWIW can't think of any reason off-hand. YMMV.

Why didn't you define a larger address space and then use the configuration file "exclude" to tell labrea not to touch the live blocks? (i.e. capture "everything" but don't touch this or this or that) Too much work / too many disjointed class C subnets? Capture subnet too big?

You can manually define the capture subnet using the --network parameter. With CIDR notation (xx.xx.xx.xx/nn), you can specify the subnet mask as well. This would be another way to get one instance of labrea to not capture the other one's subnets.

I've always thought labrea had too much flexibility / too many parameters. However your need is new (to me) and is reasonable.

Labrea could be modified to handle multiple capture subnets, but this would require major surgery. Would have to hear from others that this is generally required before deciding to invest the time and effort required to do the modification.

Thanks for a very interesting question.

Hope this helps,

lorgor

-----Original Message-----
From: Keith
Sent: Thursday, February 19, 2004 10:05 AM
To: lab...@li...
Subject: [Labrea-users] Listening on multiple logical segments

Hello Labrea list,

I'm running Labrea on a physical segment that "sees" ARP whois request broadcasts on multiple logical networks i.e. more than one class C block or subnets thereof.

I could not find a way to tell Labrea to handle more than one block of addresses so I tested running two instances of Labrea passing the second block with a -n argument. The log output shows addresses from both blocks being captured.

Question: Is this the most efficient way to accomplish what I want (running a separate instance for each address block)? Would I run into a problem other than resource consumption if I ran say 8 or 16 or 32 instances of Labrea on the same box each handling a different logical network? Is there a way to specify multiple blocks in the conf or CLI for a single instance?

-Keith
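
Added example, not part of the original thread and not LaBrea code: a planning sketch for the single-instance approach suggested in the reply (one large capture subnet passed with --network, with the live blocks listed as excludes). It computes the smallest CIDR block covering all intended capture blocks and the blocks inside it that would have to be excluded. The function names and the sample 10.1.x.x blocks are constructed for illustration, it is IPv4 only, and it prints plain CIDR lists rather than labrea.conf syntax.

```python
import ipaddress


def covering_network(blocks):
    """Smallest single IPv4 CIDR block that contains every block given."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Bits that differ between the lowest and highest address must be host bits.
    prefix = 32 - (lo ^ hi).bit_length()
    return ipaddress.ip_network((lo, prefix), strict=False)


def plan_single_instance(capture_blocks):
    """Return (cover, excludes): one capture subnet plus the blocks to leave alone."""
    cover = covering_network(capture_blocks)
    captures = ipaddress.collapse_addresses(
        ipaddress.ip_network(b) for b in capture_blocks
    )
    remaining = [cover]
    for cap in captures:
        nxt = []
        for net in remaining:
            if cap.subnet_of(net):
                # Split net into the pieces that do not overlap the capture block.
                nxt.extend(net.address_exclude(cap))
            else:
                nxt.append(net)
        remaining = nxt
    return cover, sorted(remaining)


if __name__ == "__main__":
    # Constructed sample: two disjoint class C blocks seen on one segment.
    cover, excludes = plan_single_instance(["10.1.0.0/24", "10.1.3.0/24"])
    print("capture subnet:", cover, f"({cover.num_addresses} addresses)")
    for net in excludes:
        print("exclude:", net)
```

The size of the covering block and the length of the exclude list give a quick read on the "too many disjointed subnets" and "capture subnet too big" concerns raised in the reply before committing to one instance or several.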